How to write a script for ProcDump?

Target: Aspack 1.08.04
Availability: http://www.entechtaiwan.com/aspack.htm
Tools: ProcDump32 1.5, SoftICE 4.0

Alexey Solodovnikov, the author of Aspack, has released a new version of his shit. The compression ratio is still far from that of UPX... The unpacking is slightly different from version 1.08.03. Hmm... We will write a script to automate the unpacking with ProcDump 1.5.

Step 1

I thought that the Aspack 1.08.04 executable itself had been compressed with this version, but no: the author added a trick on top of it (polymorphic code). And since I had not found a program compressed with version 1.08.04, I took notepad.exe from my Windows installation and compressed it with Aspack 1.08.04...

First, note the original entry point of notepad.exe: 4010CC.

Open Symbol Loader and load the compressed notepad.exe. No luck, SoftICE does not give us control: notepad simply runs. No panic, it is just the section flags that were changed. Open ProcDump 1.5 and go to 'PE Editor'. Open our notepad and click on 'Sections'. Right-click on the '.text' section and choose 'Edit Section'. ProcDump shows you something like 'Section Characteristics: C0000040'. Replace C0000040 with E0000020 (E0000020 marks the section as code that is executable, readable and writable, whereas C0000040 marks it as initialized data, which is why the loader's breakpoint did not fire). Go back to Symbol Loader and load your notepad.exe. This time SoftICE gets control...

Step 2

Start by tracing the program with the F10 key. Quickly, we see this:

    015F:0040E0F4 PUSH 00 -------- = 6A,00 in hex
    015F:0040E0F6 PUSH EAX-------- = 50 in hex
    015F:0040E0F7 CALL [EBP+00442949]
    015F:0040E0FD LEA EAX,[EBP+00442C1D]
    015F:0040E103 PUSH EAX
    015F:0040E104 RET

We are at the beginning of the unpacking routine: this is not yet the entry point of our unpacked program. Note the hex encoding of the instructions at 40E0F4 and 40E0F6, because it will be useful for our script. We continue tracing the program with the F10 key. ATTENTION! The trace to reach the end of the unpacking routine is long!
This trace is similar to version 1.08.03: the breakpoints are identical! So, while tracing, we arrive at this:

    015F:0040E5AB MOV EAX,[EBP+00442A31]
    015F:0040E5B1 PUSH EAX -------------------- = 50 in hex
    015F:0040E5B2 ADD EAX,[EBP+004430A8] ----- = 03,85 + address in hex
    015F:0040E5B8 POP EBX
    015F:0040E5B9 OR EBX,EBX
    015F:0040E5BB MOV [EBP+00442EE1],EAX
    015F:0040E5C1 POPAD
    015F:0040E5C2 JNZ 0040E5CC
    015F:0040E5C4 MOV EAX,00000001
    015F:0040E5C9 RET 000C
    015F:0040E5CC PUSH 004010CC--------------- original entry point
    015F:0040E5D1 RET------------------------------ the last instruction of the unpacking

Good, if you do not understand how I got here, read my tutorial on Transparence99 (in DRaPeauNoiR 3 or on the official ProcDump site): it is EXACTLY the same procedure... So we arrive at address 40E5CC and we see a pretty PUSH 004010CC. Do you remember this value? Indeed, it is your original entry point. If you execute the RET at address 40E5D1, you find yourself at the beginning of the notepad code, at 4010CC. We easily deduce that this RET is the last instruction of the unpacker. Note the hex encodings of the instructions at 40E5B1 and 40E5B2 for the needs of our script. For the address 40E5B2, note only the bytes at the beginning of the instruction (03,85). The 4430A8 will inevitably be different for a program other than notepad: this address will not be the same for another program, so there will be another address in place of 4430A8 and thus a different hex encoding...

Step 3

Some reminders on the various commands I used for this script:

LOOK: this is the command with which ProcDump identifies the signature of the cryptor or compressor. It searches for a hex byte chain in the exe. If the chain is found, that means it is the right script.
BP: with this command you put a breakpoint (same principle as in SoftICE) at the current memory address.
This command is preceded by LOOK. You will understand in a few minutes.
STEP: this is the instruction with which you finish your script. STEP starts a step-by-step analysis of the code, which sometimes explains the slowness of the dump.
ADD: adds a value to the current memory address.
WALK: this command executes one instruction (in the program you are dumping).
EIP: EIP takes the next address of the program as the original entry point of the program: VERY practical!...

Writing a script for ProcDump is not very hard. We noted a first hex chain in the first disassembly (Step 1). It is this chain that we will make ProcDump search for. We will also put a breakpoint at the current address where the hex chain is found. The beginning of the script is thus:

    L1=LOOK 6A,00,50 ------- search for 6A,00,50
    L2=BP ------------------- put a breakpoint

Then, we found that the end of the unpacking routine was at 40E5D1. As the second hex chain to search for, I chose 50,03,85 (Step 2). As you notice, this hex chain corresponds to address 40E5B1, which is not the last instruction of the unpacker. To get to address 40E5D1, it is necessary to add 20 (in hex). To do that, I used the ADD command. The continuation of the script is then:

    L3=LOOK 50,03,85 --------- search for 50,03,85
    L4=ADD 20 ---------------- add 20h to the current address
    L5=BP -------------------- put a breakpoint

Good, that is practically all! Now we must recover the original entry point. I used the EIP command for that. But we cannot use EIP immediately: we are at address 40E5D1 and not at the beginning of the unpacked program. It is necessary to execute the RET at address 40E5D1 to find ourselves at 4010CC, the first instruction of the unpacked program. The WALK command lets us do that. Our script is then:

    L6=WALK --------- execute one instruction
    L7=EIP ---------- recover the original entry point
    L8=STEP---------- step-by-step analysis

Yeah! You have your almost complete script!
We will set some default options for the script. The final script is thus:

-------------------------------------------- cut here----------------------------------------
P1D=Aspack108.4 ----------- give a number & a name
[Aspack108.4]
L1=LOOK 6A,00,50
L2=BP
L3=LOOK 50,03,85
L4=ADD 20
L5=BP
L6=WALK
L7=EIP
L8=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000
-------------------------------------------- cut here----------------------------------------

You can test this script on several programs compressed with Aspack 1.08.04: it works without problem!

@+++++++++++
TaMaMBoLo
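As an added example (it is not part of this tutorial and not ProcDump's own code), here is a small Python model of the script commands the tutorial uses, run over a constructed memory image that reproduces the two code fragments quoted above at their addresses. The two chains 6A,00,50 and 50,03,85 and the addresses are the tutorial's; the encodings of the other instructions are the standard x86 ones filled in for this example, the NOP filler, the 2 KiB image size and the load address BASE are assumptions, LOOK is assumed to search forward from the current address, and WALK, which in ProcDump executes one instruction live, is modelled by decoding the PUSH imm32 / RET pair the unpacker ends on.

```python
# Added example, not part of the tutorial and not ProcDump's own code: a
# static model of the ProcDump script commands LOOK / ADD / BP / WALK / EIP,
# run over a constructed memory image that reproduces the two code fragments
# quoted in the tutorial (same addresses, same instruction bytes).
import re

BASE = 0x0040E000  # assumed load address of the constructed 2 KiB image

# First fragment quoted in the tutorial: start of the unpacking routine.
FRAG_START = bytes.fromhex(
    "6A00"            # 40E0F4  PUSH 00
    "50"              # 40E0F6  PUSH EAX
    "FF9549294400"    # 40E0F7  CALL [EBP+00442949]
    "8D851D2C4400"    # 40E0FD  LEA EAX,[EBP+00442C1D]
    "50"              # 40E103  PUSH EAX
    "C3"              # 40E104  RET
)

# Second fragment quoted in the tutorial: end of the unpacking routine.
FRAG_END = bytes.fromhex(
    "8B85312A4400"    # 40E5AB  MOV EAX,[EBP+00442A31]
    "50"              # 40E5B1  PUSH EAX
    "0385A8304400"    # 40E5B2  ADD EAX,[EBP+004430A8]
    "5B"              # 40E5B8  POP EBX
    "0BDB"            # 40E5B9  OR EBX,EBX
    "8985E12E4400"    # 40E5BB  MOV [EBP+00442EE1],EAX
    "61"              # 40E5C1  POPAD
    "7508"            # 40E5C2  JNZ 0040E5CC
    "B801000000"      # 40E5C4  MOV EAX,00000001
    "C20C00"          # 40E5C9  RET 000C
    "68CC104000"      # 40E5CC  PUSH 004010CC
    "C3"              # 40E5D1  RET
)

def build_image():
    """Constructed image: NOP filler with the two fragments at their offsets."""
    img = bytearray(b"\x90" * 0x800)
    img[0x0F4:0x0F4 + len(FRAG_START)] = FRAG_START
    img[0x5AB:0x5AB + len(FRAG_END)] = FRAG_END
    return bytes(img)

# The tutorial's final script, in its own Ln=COMMAND form.
SCRIPT = """\
P1D=Aspack108.4
[Aspack108.4]
L1=LOOK 6A,00,50
L2=BP
L3=LOOK 50,03,85
L4=ADD 20
L5=BP
L6=WALK
L7=EIP
L8=STEP
OPTL1=00000000
"""

def parse_script(text):
    """Keep only the Ln= command lines; the name and OPTL lines are ignored."""
    return [m.group(1).strip()
            for m in (re.match(r"L\d+=(.*)", ln.strip()) for ln in text.splitlines())
            if m]

def signature_hits(image, chain):
    """Count every occurrence of a LOOK chain, to judge how selective it is."""
    pattern = bytes.fromhex(chain.replace(",", ""))
    return sum(1 for i in range(len(image)) if image.startswith(pattern, i))

def run_script(image, base, commands):
    """Return (breakpoint addresses, recovered OEP) for the command list.
    Model assumptions: LOOK searches forward from the current address;
    WALK is modelled by decoding the PUSH imm32 / RET pair the tutorial ends on."""
    cur = base            # current address, kept as a virtual address
    bps, oep = [], None
    for cmd in commands:
        op, _, arg = cmd.partition(" ")
        if op == "LOOK":
            pos = image.find(bytes.fromhex(arg.replace(",", "")), cur - base)
            if pos < 0:
                raise ValueError(f"chain {arg} not found: not this packer/version")
            cur = base + pos
        elif op == "ADD":
            cur += int(arg, 16)          # the tutorial's ADD 20 means 20h
        elif op == "BP":
            bps.append(cur)
        elif op == "WALK":
            off = cur - base
            if image[off] != 0xC3 or image[off - 5] != 0x68:
                raise ValueError("expected PUSH imm32; RET at the final breakpoint")
            cur = int.from_bytes(image[off - 4:off], "little")  # RET lands on the pushed value
        elif op == "EIP":
            oep = cur
        elif op == "STEP":
            break                        # hand-over to the dumper; nothing to model
    return bps, oep

if __name__ == "__main__":
    img = build_image()
    bps, oep = run_script(img, BASE, parse_script(SCRIPT))
    for chain in ("6A,00,50", "50,03,85"):
        print(f"LOOK {chain}: {signature_hits(img, chain)} hit(s)")
    print("breakpoints:", [f"{a:08X}" for a in bps], "OEP:", f"{oep:08X}")
```

Run it and the two breakpoints come out at 40E0F4 and 40E5D1 with the OEP 4010CC, exactly the values the tutorial walks to by hand. The signature_hits check is the caveat worth keeping in mind when you write your own LOOK lines: a three-byte chain such as 6A,00,50 (PUSH 0 / PUSH EAX) is common in ordinary code, so on a real executable it can match somewhere other than the packer stub and the breakpoint then lands in the wrong place; counting the hits on the image you are about to dump tells you whether a chain is selective enough or needs more bytes.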